A classification of RE papers:(A)re we researching or designing RE techniques?

Discussion of a paper in RE program committees is often\ud complicated by lack of agreement about evaluation criteria\ud to be applied to the paper. For some years now, successive\ud program chairs have attempted to increase clarity by\ud including a paper classification in their CFP, and making the\ud evaluation criteria per paper class explicit. This short note\ud presents a paper classification based on this experience. It\ud can be used as guide by program chairs. It can also be used\ud by authors as well as reviewers to understand what kind of\ud paper they are writing or reviewing, and what criteria should\ud be applied in evaluating the paper

The Development of a Graduate Curriculum for Software Assurance

One of our challenges as educators is timely incorporation of research into curricula that can be adopted by universities toultimately improve software engineering practice. In this paper, we describe the work of the Master of Software Assurancecurriculum project. This includes our sources, process, products, adoption strategies, and early adoption experiences. Theproject used research results, prior curricula, and documented bodies of knowledge to develop a new curriculum. We arenow working with early adopters and employing a number of transition mechanisms as part of our strategy to furtheradoption in this critical area

Using Cybersecurity Body of Knowledge (CyBOK) Case Studies to Enhance Student Learning

One of the central aspects of specialization in modern software engineering is security engineering. With contemporary systems being networked and entrusted with mission-critical functionality, cybersecurity is an essential quality that must be developed into the system from the first moment. This comprises issues such as privacy, authentication, robustness against vulnerabilities, and hardness against external attacks. To do so, software engineering specialists with appreciation for the detailed intricacies of security engineering as well as broad experience are required. The Cybersecurity Body of Knowledge (CyBOK, [1]) has been developed to serve, among other uses, as an instructional reference for educators to prepare the next generation of security engineers in this respect. While the CyBOK describes the intricacies of security engineering in plentiful detail, it remains up to the instructor to convey this curriculum in a way that fosters understanding and forms experience as well as competencies in the learner. To aid the instructors who use the CyBOK, we have devised a library of 18 case studies that are specifically designed to target CyBOK knowledge areas. The case studies are sufficiently detailed to allow adoption with minimal overhead on the instructor. In this paper, we describe the case study mapping to the CyBOK, and classroom results of one exemplary case study, demonstrating improved understanding by students

Threat Modeling the Cloud Computing, Mobile Device Toting, Consumerized Enterprise – an overview of considerations

A megatrend triad comprised of cloud computing, converged mobile devices, and consumerization presents complexchallenges to organizations trying to identify, assess, and mitigate risk. Cloud computing offers elastic just-in-time serviceswithout infrastructure overhead. However, visibility and control are compromised. Converged mobile devices offer integratedcomputing power and connectivity. However, end point control and security are compromised. Consumerization offersproductivity gains and reduction in support costs. However, end point control and the organization’s perimeter arecompromised. This paper presents an overview of considerations for organizations impacted by the megatrend triad and,subsequently, shows how threat modeling techniques can be used to identify, assess, and mitigate the attendant risks

Guest editorial preface: special issue on Evolving security and privacy requirements engineering (ESPRE'14) 2014, Sweden.

At the Evolving Security and Privacy Requirements Engineering (ESPRE) workshop, practitioners and researchers interested in security and privacy requirements gather to discuss significant issues in the field. In particular, ESPRE participants probe the interfaces between requirements engineering, security and privacy. At ESPRE workshops, participants also take the first step in evolving security and privacy requirements engineering to meet the needs of stakeholders, ranging from business analysts and security engineers to technology entrepreneurs and privacy advocates. The most recent ESPRE workshop was held in Karlskrona, Sweden in August 2014, and was co-located with the RE 2014 conference

Outlook on Groundwater: Elementary

Table of Contents: --- Forward--- Activity 1: Life on Planet X--- Activity 2: Dew Drop Inn--- Activity 3: Water Magic--- Activity 4: Drip Trip--- Activity 5: Checking in at Aquifer Acres--- Activity 6: Percolation Race--- Activity 7: Checking Out of Aquifer Acres--- Activity 8: What Goes Down, Comes Up!--- Activity 9: Inspect That Drop--- Activity 10: Old McDump\u27s Farm--- Activity 11: Pumps and Pipes--- Activity 12: Who Dumped It?--- Dilemmas--- Glossaryhttps://scholarworks.uni.edu/k12_supplements/1007/thumbnail.jp

Threat Modeling the Enterprise

Current threat modeling methodologies and tools are biased toward systems under development. While, organizations whose IT portfolio is made up of a large number of legacy systems, that run on fundamentally different and incongruous platforms and with little or no documentation, are left with few options. Rational, objective analysis of threats to assets and exploitable vulnerabilities requires, the portfolio to be represented in a consistent and understandable way based on a systematic, prescriptive, collaborative process that is usable but not burdensome. This paper describes a way to represent an IT portfolio from a security perspective using UML deployment diagrams and, subsequently, a process for threat modeling within that portfolio. To accomplish this, the UML deployment diagram was extended, a template created, and a process defined

Development of a Master of Software Assurance Reference Curriculum

The Next Generation Air Traffic Management system (NextGen) is a blueprint of the future National Airspace System. Supporting NextGen is a nation-wide Aviation Simulation Network (ASN), which allows integration of a variety of real-time simulations to facilitate development and validation of the NextGen software by simulating a wide range of operational scenarios. The ASN system is an environment, including both simulated and human-in-the-loop real-life components (pilots and air traffic controllers).Real Time Distributed Simulation (RTDS) developed at Embry-Riddle Aeronautical University, a suite of applications providing low and medium fidelity en-route simulation capabilities, is one of the simulations contributing to the ASN. To support the interconnectivity with the ASN, we designed and implemented a dedicated gateway acting as an intermediary, providing logic for two-way communication and transfer messages between RTDS and ASN and storage for the exchanged data. It has been necessary to develop and analyze safety/security requirements for the gateway software based on analysis of system assets, hazards, threats and attacks related to ultimate real-life future implementation. Due to the nature of the system, the focus was placed on communication security and the related safety of the impacted aircraft in the simulation scenario. To support development of safety/security requirements, a well-established fault tree analysis technique was used. This fault tree model-based analysis, supported by a commercial tool, was a foundation to propose mitigations assuring the gateway system safety and security